Newly Patched WinRAR Vulnerability Existed for 19 Years

The year 2000 was historic for a few reasons beyond the obvious emotional resonance of rolling over all the digits. There was a contested US presidential election, Y2K turned out to be overblown, and it was the first year those New Year’s glasses with the eye holes in the zeros made sense. It was also the year WinRAR introduced a serious vulnerability into its Windows application. That bug was just discovered after 19 years by researchers at Check Point Software. Oops.

WinRAR is a file archiving tool that has existed since the mid-90s. Back then, Windows didn’t know how to handle ZIP archives on its own, so software like WinRAR was necessary. Windows Explorer (now just called File Explorer) got smarter over the years, but WinRAR and the like didn’t go away. These programs supported more file archive types and features than plain old Windows.

Because the vulnerability has been present for so long, Check Point estimates that around 500 million people are potentially affected. Think back — did you ever install WinRAR on a PC? A lot of us did, and it turns out it could have been used to take over your computer. The problem lies in one of the lesser-used features of WinRAR. In addition to the popular ZIP format, WinRAR has supported ACE archives since 2000. This format is incredibly rare now, but it was popular around 1999-2001. It turns out an ACE archive can act as a Trojan horse to install malware on a PC via WinRAR.

The attack involves hiding malware inside an ACE archive, where the container obscures it from antivirus scanners. Next, the attacker renames the ACE file so that it carries a .RAR extension. When extracted, the archive can specify an arbitrary file path for its contents: WinRAR could, for example, write an executable into the Windows startup folder. The program doesn't throw any errors when this happens, and the malicious archive can even output the file you expected into another directory to keep up appearances.
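The two defensive checks the paragraph above implies, as an added example that is not part of the original article and not WinRAR's or Check Point's code: first, detecting the rename trick by sniffing the archive's real format instead of trusting its extension (the `**ACE**` signature at byte offset 7 and the `Rar!` signatures are the ones recorded in file(1)'s magic database; how WinRAR itself decides is not stated on the page), and second, refusing any archive entry whose path would land outside the chosen extraction directory, which is the class of problem the arbitrary-path extraction describes. The sample header bytes, entry names and `extract_here` directory are constructed for the demonstration.

```python
import ntpath
import os

# Signatures as recorded in file(1)'s magic database.
RAR4_MAGIC = b"Rar!\x1a\x07\x00"
RAR5_MAGIC = b"Rar!\x1a\x07\x01\x00"
ACE_MAGIC = b"**ACE**"   # appears at byte offset 7 of the first ACE header
ACE_MAGIC_OFFSET = 7


def sniff_archive_type(header: bytes) -> str:
    """Return 'rar', 'ace' or 'unknown' from the first bytes of a file."""
    if header.startswith(RAR5_MAGIC) or header.startswith(RAR4_MAGIC):
        return "rar"
    if header[ACE_MAGIC_OFFSET:ACE_MAGIC_OFFSET + len(ACE_MAGIC)] == ACE_MAGIC:
        return "ace"
    return "unknown"


def extension_mismatch(filename: str, header: bytes) -> bool:
    """True when the sniffed format contradicts the file extension,
    e.g. an ACE archive that has been renamed to .rar."""
    ext = os.path.splitext(filename)[1].lower().lstrip(".")
    actual = sniff_archive_type(header)
    return actual != "unknown" and actual != ext


def is_safe_entry_path(entry_name: str, dest_dir: str) -> bool:
    """True only if extracting entry_name would stay inside dest_dir."""
    # Archive entry names may use either separator; normalise to '/'.
    name = entry_name.replace("\\", "/")
    # Absolute paths, drive letters and UNC prefixes are never acceptable.
    if name.startswith("/") or ntpath.splitdrive(entry_name)[0]:
        return False
    parts = [p for p in name.split("/") if p not in ("", ".")]
    if not parts or ".." in parts:
        return False
    # Belt and braces: the resolved target must remain under dest_dir.
    dest = os.path.realpath(dest_dir)
    target = os.path.realpath(os.path.join(dest, *parts))
    return os.path.commonpath([dest, target]) == dest


def audit_archive(filename: str, header: bytes, entry_names, dest_dir: str) -> dict:
    """Summarise both checks for one archive before any extraction happens."""
    return {
        "format": sniff_archive_type(header),
        "renamed": extension_mismatch(filename, header),
        "unsafe_entries": [e for e in entry_names if not is_safe_entry_path(e, dest_dir)],
    }


if __name__ == "__main__":
    # Constructed sample: an ACE header renamed to .rar, with one traversal entry.
    ace_header = bytes(7) + ACE_MAGIC + bytes(8)
    entries = ["photos/img001.jpg", "..\\..\\Startup\\evil.exe"]
    print(audit_archive("holiday_photos.rar", ace_header, entries, "extract_here"))
```

Both checks belong before the first byte is written: an archive whose format disagrees with its extension, or whose entries contain `..`, a drive letter or a leading separator, should be quarantined rather than unpacked.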

WinRAR responded to Check Point's report swiftly, issuing the 5.70 beta 1 update. That release removes support for ACE archives, which will disappoint essentially no one. It is unknown whether anyone exploited this vulnerability between 2000 and now, but 19 years is a long time. It's impossible to know for sure, but at least this file format of the past won't come back to bite you in the future.